Abstract

The minimum distance is one of the most important combinatorial characterizations
of a code. The maximum likelihood decoding problem is one of the most
important algorithmic problems of a code. While these problems are known to be
hard for general linear codes, the techniques used to prove their hardness often rely
on the construction of artificial codes. In general, much less is known about the hardness
of the specific classes of natural linear codes. In this paper, we show that both
problems are NP-hard for algebraic geometry codes. We achieve this by reducing a
well-known NP-complete problem to these problems using a randomized algorithm.
The family of codes in the reductions is based on elliptic curves. They have positive
rates, but the alphabet sizes are exponential in the block lengths.

1 Introduction 

An $[n, k]_q$ linear error-correcting code is a linear subspace of a vector space $\mathbb{F}_q^n$, where $\mathbb{F}_q$
denotes the finite field of $q$ elements, and $k$ denotes the dimension of the subspace. The
generator matrix for a linear code is a $k \times n$ matrix with row rank $k$, which defines a linear
mapping from (called the message space) to $\mathbb{F}_q^n$. Therefore, the code $C$ is:

$$C = \{aG \mid a \in \mathbb{F}_q^k\}.$$

We call a vector in C a codeword. The most important codes include the Reed-Solomon 
codes, the Reed-Muller codes, the BCH codes and the algebraic geometry codes. 

The Hamming distance between two codewords $x$ and $y$ is the weight (number of
nonzero coordinates) of $x - y$. The minimum distance of a code is the minimum Hamming
distance between any two distinct codewords. If the code is linear, then the vector $x - y$ is a
codeword, and the minimum distance of the code is equal to the minimum weight of any
nonzero codeword.

Given a linear code as input, how hard is it to compute the minimum distance? This
problem had been open for two decades before it was finally solved by Vardy in 1997 [16],
when he proved that the problem is NP-complete. Interestingly, determining whether a
code contains a codeword of a given weight was known to be NP-complete much earlier
jS]. However, if we know that the minimum distance of a code is $d$, it merely implies that
there is a codeword of weight $d$, and for any $w < d$, there is no codeword of weight $w$. It
is not clear, for any $n > w > d$, whether there exists a codeword of weight $w$ or not.
Thus there is no straightforward reduction from this problem to the minimum distance
problem.

Dumer et al. [7] studied how hard it is to approximate the minimum distance of a linear
code. They showed that the minimum distance of a linear code is not approximable within
any constant factor in random polynomial time, unless NP = RP. The codes used in
their work and in Vardy's [16] are artificially designed. Their results show that it is hard
to compute the minimum distance for general linear codes, but say nothing specific
about any of the well-studied and widely-deployed codes.

To use a code in practice, one must have an efficient decoding algorithm. Traditionally,
unique decoding algorithms, which correct errors of weight at most half of the minimum
distance of a code, have been investigated for natural classes of codes. The discovery of such
algorithms, which provide a means to correct errors, enables the widespread application of
error-correcting codes. The list decoding problem can correct more errors and outputs a list
of codewords, any of which may be the intended message. In the last decade, spectacular
success in the area of list decoding has been achieved; its influence can be seen throughout
theoretical computer science, ranging from approximation algorithms and average
case complexity to pseudorandomness and derandomization. The ultimate goal, the maximum
likelihood decoding problem, is one of the central problems in algorithmic coding
theory. For any vector $y$ in $\mathbb{F}_q^n$, it asks for a codeword $x$ to minimize the distance between
$x$ and $y$. Given that a received word is equally likely to contain an error in any position,
codewords that are closest to the received word (i.e. differ in fewer coordinates) are most
likely to encode the intended message. This problem is proved to be NP-hard for general
linear codes [5]. Proving NP-hardness for the classes of useful codes is more difficult and
subtle. The only result of this kind to date is the result of ^U] on the NP-completeness
of maximum likelihood decoding for Reed-Solomon codes. A related result by Cheng and
Wan [S] shows that decoding of Reed-Solomon codes at certain radius is at least as hard
as the discrete logarithm problem over finite fields.

In this paper, we prove that the minimum distance problem and the maximum likelihood 
decoding problem are NP-hard for a natural class of codes, namely, the algebraic-geometry 
codes. The algebraic geometry codes can be seen as a generalization of the Reed-Solomon
codes. While the study of algebraic geometry codes began as a purely mathematical pursuit, 
an increased understanding of their unique combinatorial properties promises that they will 
find real-world applications in the foreseeable future. 

In combinatorics, it is often hard to explicitly construct an object which is, in certain 
aspects, better than a random object. A family of algebraic geometry codes is one of a 
few bright spots, where we can explicitly construct a code having more codewords than a 
random code given the block length and the minimum distance. Moreover, given proper 
representations, these codes possess a polynomial time list decoding algorithm P], which 
corrects errors well beyond half of the minimum distance. In contrast, a random code 
usually does not have a good decoding algorithm due to its lack of algebraic structure. 

Proving the NP-hardness of the maximum likelihood decoding of algebraic geometry 
codes (MLDAGC) answers the most important question about the decodability of this 
class of codes. Proving the NP-hardness of the minimum distance problem for algebraic 
geometry codes (MDPAGC) is also well motivated. The designed distance, which is a lower 
bound of the minimum distance, can be easily obtained from the description of the codes. 
Less attention is paid to the problem of computing the exact minimum distance. 

Also, since the minimum distance problem for general linear codes defied solution for so
long, one would imagine that the problem for codes with algebraic structures is more
subtle. If a code has a good list decoding algorithm, while at the same time computing
its minimum distance is hard, then we cannot easily find a center of a Hamming ball with
the list decodable radius that contains two codewords at the minimum distance from each
other. This illustrates deep structural information about the code which may uncover
properties of the code that we have not yet realized.

A nice surprise about our proofs is their conceptual simplicity. We use the subset sum
problem directly, thus all of the results on the preprocessing subset sum problem can be
readily carried over to the algebraic geometry codes. However, our reductions are randomized,
which we would prefer to avoid. The need for randomization seems to occur in places
where we deal with number theory and primes. In ^E] and jTU], an irreducible polynomial
over $\mathbb{F}_2$ is needed. Even though there is no polynomial time algorithm which finds an
irreducible polynomial over a finite field of a given degree, there does exist a deterministic
algorithm which finds an irreducible polynomial of a given degree over finite fields of fixed
number of elements [T3J. This explains why the reduction in ^B] and ^U] is deterministic.

Our reduction always maps a "Yes" instance to a "Yes" instance, and maps a "No"
instance to a "No" instance in expected polynomial time. The reduction in [7] is a reverse
unfaithful random reduction, which always maps a "No" instance to a "No" instance, but
with a small probability maps a "Yes" instance to a "No" instance.

The minimum distance problem and the maximum likelihood decoding problem correspond
to the shortest vector problem and the closest vector problem in integral lattices.
These problems have received a lot of attention recently |3J H2]. The attempts to find a
reduction from the minimum distance problem of linear codes to the shortest vector problem
of lattices have failed so far.

2 Elliptic curves 

The Reed-Solomon code of block length $n$ and dimension $k$ is obtained by evaluating
polynomials of degree $k - 1$ at a set of $n$ many elements in a finite field. For a linear $[n, k]_q$
code, the Singleton bound asserts that $d \le n - k + 1$. The Reed-Solomon codes are optimal,
in that they satisfy the Singleton bound with equality. It is trivial to read the minimum
distance of Reed-Solomon codes from the block length and the dimension.

The algebraic geometry codes are natural generalizations of the Reed-Solomon codes.
Let $K$ be a function field over a finite field $F$. Let $A_1, A_2, \dots, A_n, B_1, B_2, \dots, B_m$ be
$F$-rational places. Let $a_1, a_2, \dots, a_n, b_1, b_2, \dots, b_m$ be positive integers. Given a divisor
$A = \sum_{i=1}^{n} a_i A_i - \sum_{i=1}^{m} b_i B_i$, define $L(A)$ to be the set of functions, each of which has poles
only at $A_1, A_2, \dots, A_n$ with multiplicities at most $a_1, a_2, \dots, a_n$ respectively, and has zeros
at $B_1, B_2, \dots, B_m$ with multiplicities at least $b_1, b_2, \dots, b_m$ respectively. The functions
in $L(A)$ form a linear space over the field $F$. It has dimension no less than $\deg(A) - g + 1$,
where $g$ is the genus of the function field, and $\deg(A) = \sum_{i=1}^{n} a_i - \sum_{i=1}^{m} b_i$. For
the divisor $A$, we can construct a linear code, whose codewords are obtained by evaluating
the functions in $L(A)$ at rational places $P_1, P_2, \dots, P_n$, where
$\{P_1, P_2, \dots, P_n\} \cap \{A_1, A_2, \dots, A_n, B_1, B_2, \dots, B_m\} = \emptyset$.

To prove that computing minimum distances of algebraic geometry codes is NP-hard,
we use codes defined by curves of genus one, i.e., elliptic curves. We first review some facts
about elliptic curves. An elliptic curve is a smooth cubic curve. Let $F$ be a field. If the
characteristic of $F$ is neither 2 nor 3, we may assume that an elliptic curve is given by an
equation

$$y^2 = x^3 + ax + b, \quad a, b \in F.$$

The discriminant of this curve is defined as $-16(4a^3 + 27b^2)$. It is essentially the discriminant
of the polynomial $x^3 + ax + b$. It must be nonzero for the curve to be smooth. For detailed
information about elliptic curves, we refer the reader to Silverman's book [T^]. The set of
$F$-rational points on the elliptic curve consists of the solution set over $F$ of the equation
plus a point at infinity, denoted by $O$. These points form an abelian group with the infinity
point as the identity. We use $E(F)$ to denote the group. From now on, let $F$ be the finite
field $\mathbb{F}_q$. The following properties of elliptic curves are relevant to our result.

1. Let $P_1, P_2, \dots, P_n, P$ be elements in $E(\mathbb{F}_q)$. If $m_1 P_1 + m_2 P_2 + \cdots + m_n P_n = P$,
where $m_i$, $1 \le i \le n$, are positive integers, then there is a function having zeros at
$P_1, P_2, \dots, P_n$ with multiplicities $m_1, m_2, \dots, m_n$ respectively, a pole at $P$ with
multiplicity 1 and a pole at $O$ with multiplicity $m_1 + m_2 + \cdots + m_n - 1$. We can compute the
function in time polynomial in $m_1 + m_2 + \cdots + m_n$ and $\log q$.

2. For a given divisor $A$, we can in polynomial time compute a basis of $L(A)$. In
particular, since $(x)_\infty = 2O$, $(y)_\infty = 3O$, and consequently, $(x^i)_\infty = 2iO$, $(x^{i-1}y)_\infty =
(2i + 1)O$, we can compute a basis for $L(aO)$ quickly, and it contains only monomials.

3. If $\deg(A) > 1$, then the dimension of $L(A)$ is $\deg(A)$.

4. Let $p \equiv 2 \pmod 3$ be a prime. The curve $y^2 = x^3 + 1$ is a supersingular elliptic curve
over $\mathbb{F}_p$. The group $E(\mathbb{F}_p)$ contains $p + 1$ elements and it is cyclic.

Lemma 1 For any prime $q > 3$, we can in randomized polynomial time find another prime
$p = O(q^2)$ and construct an elliptic curve $E/\mathbb{F}_p$ and a point $G \in E(\mathbb{F}_p)$ such that $G$
has order $q$.

Proof: Find another prime $p$ such that $p \equiv -1 \pmod q$ and $p \equiv 2 \pmod 3$. This can
be done easily if randomness is allowed. We can first solve the system of congruences using
the Chinese Remainder Theorem. If the solution is $p \equiv a \pmod{3q}$, we select a random
number $1 < x < q$, and test whether $a + 3qx$ is prime or not. By the Siegel-Walfisz theorem
concerning the density of primes in arithmetic progressions, the probability that we get a
prime is at least $1/\log^{O(1)} 3q$. Set $p = a + 3qx$ if we find a prime.

Consider the curve $E : y^2 = x^3 + 1$ over $\mathbb{F}_p$. It is supersingular, hence $E(\mathbb{F}_p)$ is a cyclic
group with order $p + 1$. We try to find a point $P$ in the group such that $\frac{p+1}{q} P \ne O$. Since
the group is cyclic, the number of points $P$ such that $\frac{p+1}{q} P = O$ is so there is an
overwhelming chance of success. Once we find a $P$ satisfying $\frac{p+1}{q} P \ne O$, set $G = \frac{p+1}{q} P$. It
is easy to verify that $G \in E(\mathbb{F}_p)$ is a point with order $q$. □

The curve we construct is supersingular, therefore it is not suitable for elliptic curve
cryptosystems if $p$ is small, since the discrete logarithm problem on those elliptic curves
can be reduced to the discrete logarithm problem in $\mathbb{F}_{p^2}$. For practical purposes, there is
an efficient method based on the theory of complex multiplication to construct a nonsupersingular
curve of a given order, but it seems hard to prove the performance in theory.

In the proof, we need randomness to find a large order point on an elliptic curve. To 
deterministically find any point on an elliptic curve is still an open problem, even though 
an efficient and simple Las Vegas algorithm exists. 

3 The NP-hardness proof of the MDPAGC



We reduce the following well known subset sum problem to the problem of computing 
minimum distances of algebraic geometry codes. 

Instance: A set of $n$ positive integers $A = \{a_1, a_2, a_3, \dots, a_n\}$, a positive integer $b$ and a
positive integer $k < n$.

Question: Is there a nonempty subset $\{a_{i_1}, a_{i_2}, \dots, a_{i_k}\} \subseteq A$ of cardinality $k$ such that

$$a_{i_1} + a_{i_2} + \cdots + a_{i_k} = b.$$

First we prove that a slight variant of the problem is also NP-hard.

Lemma 2 The following problem (prime field subset sum problem) is NP-hard:

Instance: A prime $q$, a set of $n$ positive integers $A = \{a_1, a_2, a_3, \dots, a_n\}$, an integer $b$ and
a positive integer $k < n$.

Question: Is there a nonempty subset $\{a_{i_1}, a_{i_2}, \dots, a_{i_k}\} \subseteq A$ of cardinality $k$ such that

$$a_{i_1} + a_{i_2} + \cdots + a_{i_k} \equiv b \pmod q.$$

To prove the lemma, we simply reduce the subset sum problem to it by finding a prime
bigger than $a_1 + a_2 + a_3 + \cdots + a_n + b$ in an instance of the subset sum problem. It is
interesting to note that it seems hard to prove the NP-completeness under the polynomial
time Karp reduction, since such a reduction would give rise to a deterministic algorithm to
find a prime bigger than a given number, but no such algorithm is known. The problem
was listed as open in PQ. Derandomizing the algorithm is very interesting, given that a
deterministic polynomial time primality testing algorithm was discovered recently [2].

Theorem 1 Given an instance of the prime field subset sum problem, we can in randomized
polynomial time construct an algebraic geometry code $[n, k]_p$ with $p = O(q^2)$ such that if
the answer to the prime field subset sum problem is "YES", then the code has minimum
distance $n - k$. If the answer to the prime field subset sum problem is "NO", then the code
has minimum distance $n - k + 1$.

Proof: Given an instance of the prime field subset sum problem, by Lemma 1 we
can construct an elliptic curve $E$ over $\mathbb{F}_p$, $p = O(q^2)$, with a point $G$ of order $q$. Let
$Q = bG$. Now consider an algebraic geometry code generated by evaluating functions in
$L(Q + (k - 1)O)$ at

$$P_1 = a_1 G, \; P_2 = a_2 G, \; \dots, \; P_n = a_n G.$$

By the Singleton bound, we know that the minimum distance is at most $n - k + 1$. This code
has designed distance $n - k$, thus the minimum distance is at least $n - k$. Let $f_1, f_2, \dots, f_k$
be a basis of $L(Q + (k - 1)O)$; the generator matrix of the code is

$$\begin{pmatrix}
f_1(P_1) & f_1(P_2) & \cdots & f_1(P_n) \\
f_2(P_1) & f_2(P_2) & \cdots & f_2(P_n) \\
\vdots & \vdots & & \vdots \\
f_k(P_1) & f_k(P_2) & \cdots & f_k(P_n)
\end{pmatrix}$$

If there exists a subset $\{a_{i_1}, a_{i_2}, \dots, a_{i_k}\} \subseteq \{a_1, a_2, \dots, a_n\}$ such that
$a_{i_1} + a_{i_2} + \cdots + a_{i_k} \equiv b \pmod q$, then $P_{i_1} + P_{i_2} + \cdots + P_{i_k} = Q$ in $E(\mathbb{F}_p)$. Thus there exists a function $f$ having
zeros at $P_{i_1}, P_{i_2}, \dots, P_{i_k}$ with single multiplicity, a pole at $Q$ with single multiplicity, and a
pole at $O$ with multiplicity $k - 1$. We have $f \in L(Q + (k - 1)O)$. Such a function is unique
up to a constant factor. The codeword corresponding to $f$ has weight $n - k$, because it has
$k$ zeros in $\{P_1, P_2, \dots, P_n\}$.

In the other direction, if the minimum weight of the codewords is $n - k$, there exists a
function $f \in L(Q + (k - 1)O)$ which has zeros at $k$ many points in $P_1, P_2, \dots, P_n$. Denote
them by $P_{i_1}, P_{i_2}, \dots, P_{i_k}$. Since it can have no more than $k$ poles, counting multiplicities,
it must have exactly $k$ zeros, and all the zeros have single multiplicity. Thus it must have
$k$ poles as well. It has a pole at $Q$ with multiplicity 1 and a pole at $O$ with multiplicity
$k - 1$. That is to say $(f) = P_{i_1} + P_{i_2} + \cdots + P_{i_k} - Q - (k - 1)O$. Hence in $E(\mathbb{F}_p)$

$$P_{i_1} + P_{i_2} + \cdots + P_{i_k} = Q.$$

We have

$$a_{i_1} G + a_{i_2} G + \cdots + a_{i_k} G = bG.$$

It implies that $a_{i_1} + a_{i_2} + \cdots + a_{i_k} \equiv b \pmod q$.

□ 

The reductions in the proofs are randomized. We need to use randomness to find a 
prime of certain size and a point on an elliptic curve of the prime order. Once we find such 
a prime or point, we can provide a proof of the primality or the order. On the contrary, 
in Dumer et al.'s work [7], they need randomness to locate a good center, for a Hamming
ball of certain radius containing many codewords. Even though with a high probability, a 
random received word qualifies, no proof of this fact can be provided. 
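
The construction of Lemma 1 and the point-level equivalence that the proof of Theorem 1 rests on, as an added Python example (not code from the paper). It stops at the points $P_i = a_i G$ and $Q = bG$ and does not build $L(Q + (k-1)O)$ or the generator matrix; the function names, the seeded generator and the instance with $q = 101$ are constructed for illustration.

```python
import random
from itertools import combinations

def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 2**64."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % s == 0 for s in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def ec_add(P, Q, p):
    """Add points on y^2 = x^3 + 1 over F_p; None is the point at infinity O."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                      # P + (-P) = O, also covers doubling a 2-torsion point
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(m, P, p):
    """Double-and-add scalar multiple mP for m >= 0."""
    R = None
    while m:
        if m & 1:
            R = ec_add(R, P, p)
        P, m = ec_add(P, P, p), m >> 1
    return R

def lemma1(q, rng):
    """Prime p = -1 (mod q), p = 2 (mod 3), and a point G of order q on E(F_p)."""
    a = 3 * q - 1                        # CRT: a = -1 (mod q) and a = 2 (mod 3)
    while True:
        p = a + 3 * q * rng.randrange(1, q + 1)
        if is_prime(p):
            break
    e = (2 * p - 1) // 3                 # t -> t^e inverts cubing on F_p when p = 2 (mod 3)
    while True:
        y = rng.randrange(p)
        P = (pow(y * y - 1, e, p), y)    # random point: solve x^3 = y^2 - 1
        G = ec_mul((p + 1) // q, P, p)   # |E(F_p)| = p + 1, so q*G = O
        if G is not None:
            return p, G

def matching_subsets(q, a, b, k, rng):
    """Return (k-subsets with sum = b mod q, k-subsets whose points sum to Q = bG)."""
    p, G = lemma1(q, rng)
    pts = [ec_mul(ai % q, G, p) for ai in a]   # P_i = a_i G
    Q = ec_mul(b % q, G, p)
    by_int, by_point = set(), set()
    for S in combinations(range(len(a)), k):
        if sum(a[i] for i in S) % q == b % q:
            by_int.add(S)
        total = None
        for i in S:
            total = ec_add(total, pts[i], p)
        if total == Q:
            by_point.add(S)
    return by_int, by_point

# Constructed instance: q = 101, k = 3; 3 + 17 + 29 = 49, no triple sums to 50 mod 101.
A = [3, 17, 29, 44, 58, 71]
if __name__ == "__main__":
    print(matching_subsets(101, A, 49, 3, random.Random(1)))
    print(matching_subsets(101, A, 50, 3, random.Random(1)))
```

The two sets agree on every instance because $G$ has order exactly $q$, which is what lets a subset summing to $b$ modulo $q$ be read off from a relation among the points.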

Corollary 1 If there is a polynomial time Las Vegas algorithm to compute the minimum
distance of an algebraic geometry code, then $\mathrm{NP} \subseteq \mathrm{ZPP}$. If there is a polynomial time
randomized algorithm to compute the minimum distance of an algebraic geometry code, then
$\mathrm{NP} \subseteq \mathrm{RP}$.

Corollary 2 Deciding whether an algebraic geometry code is maximum distance separable 
is NP-hard. 

We can also use one point divisor codes by reducing the following problem to MDPAGC. 
The detail will be left in the full paper. 

Instance: A set of $n$ integers $\{a_1, a_2, \dots, a_n\}$ and $k$, a prime $q$.
Question: Are there k integ such that 

+ a i2 + h a ik = (mod q) 

4 A time complexity lower bound for computing the 
minimum distance 

From the above analysis, it is easy to see that we can in time $2^n (\log q)^{O(1)}$ compute the
minimum distance of an elliptic code in $[n, k]_q$. Does there exist a better algorithm? If
a problem is NP-hard, we do not expect to find an algorithm solving it in polynomial
time, not even in subexponential time. However, for NP-hard problems, sometimes we can
find exponential algorithms beating the trivial exhaustive search. What can we do in the
case of the minimum distance problem of algebraic geometry codes? We can ask the same
question for general linear codes as well: can we compute the minimum distance in time
$2^{cn} (\log q)^{O(1)}$ for some small $c$?

Ajtai et al. 0j have studied the problem. They proposed an algorithm that solves the
problem in time $2^{O(n)}$ if the field size is bounded by a polynomial in $n$. The exact constant
hidden in the big-O is not calculated in their paper.

The elliptic curve discrete logarithm problem (ECDLP) is to compute $l$ such that $Q =
lP$, given $P, Q \in E(\mathbb{F}_q)$. It is obviously an NP-easy problem, and is not believed to be
NP-hard. There is for sure a randomized polynomial time reduction from the ECDLP to any
NP-hard problem, including the minimum distance problem of an algebraic geometry code.
In this section, we present a succinct reduction. We reduce ECDLP over $\mathbb{F}_q$ to the problem
of computing the minimum distance of algebraic codes in $[n, k]_q$, where n < [log .
It is assumed in elliptic curve cryptography that there is no algorithm which runs in
time $q^c$ for $c < 1/2$ to solve ECDLP in $\mathbb{F}_q$. Under the assumption, we have a lower bound
on the time complexity of computing the minimum distance of linear codes.

Theorem 2 For any constant $c > 0$, if there is an algorithm which in time $2^{cn} (\log q)^{O(1)}$
computes the minimum distance of a linear code $[n, k]_q$, then the ECDLP over $\mathbb{F}_q$ can be
solved in time $q^c$.

Proof: 

Suppose that we need to compute the discrete logarithm of $Q$ base $P$ on elliptic curve
$E(\mathbb{F}_q)$. W.l.o.g., we assume that $P$ has a prime order $p$. Note that we must have
$p \le q + 1 + 2\sqrt{q}$.

Denote the largest even number which is not bigger than $\lfloor \log p \rfloor$ by $n$. Randomly select
a positive integer $r < p$, compute $R = rQ$. With probability $\binom{n}{n/2}/2^n$ > l/n ^, the
discrete logarithm of $R$ is an integer which, when written in binary, has exactly $n/2$ ones and $n/2$
zeros.

Now consider the code $C$ generated by evaluating functions in $L(R + (n/2 - 1)O)$ at
$P_0 = P, P_1 = 2P, P_2 = 2^2 P, \dots, P_{n-1} = 2^{n-1} P$. By similar reasoning, the minimum
distance of the code is $n/2$ iff $R$ can be written as a sum of $n/2$ points from $P_0, P_1, \dots, P_{n-1}$.
Denote the set of these $n/2$ points by $D$. Let $C_i$ be the code generated by evaluating functions
in $L(R + (n/2 - 1)O)$ at $P_0, P_1, \dots, P_{i-1}, P_{i+1}, \dots, P_{n-1}$. We can find $D$ by asking
the question whether the minimum distance of $C_i$, for $1 \le i \le n$, is $n/2$. Basically, $P_i \in D$
iff the answer for $C_i$ is "No". We solve the discrete logarithm problem immediately after
we get $D$. □



5 The maximum likelihood decoding for AG-codes is 
NP-hard 

The dimension of the linear space $L((k - 1)O)$ over $\mathbb{F}_q$ is $k - 1$ for an elliptic curve. The
dimension of the linear space $L(Q + (k - 1)O)$, $Q \ne O$, is $k$. Let $f_1, \dots, f_{k-1}$ be a basis for
$L((k - 1)O)$, and $f'$ be a function in $L(Q + (k - 1)O) - L((k - 1)O)$. Then $f_1, f_2, \dots, f_{k-1}$
and $f'$ form a basis for $L(Q + (k - 1)O)$. It is fairly easy to find an $f'$. We can simply pick
one point $Q' \notin \{Q, O\}$, compute $Q'' = Q - Q'$. Let $l_1$ be the line passing $Q'$ and $Q''$, let $l_2$
be the line passing $Q$ and $-Q$. We then set $f' = l_1 / l_2$.

Lemma 3 Consider the code generated by evaluating functions in $L((k - 1)O)$ at $P_1, P_2, \dots, P_n$.
Suppose the received word is $R = (f'(P_1), f'(P_2), \dots, f'(P_n))$. Then

1. the distance from $R$ to the code is either $n - k + 1$ or $n - k$;

2. the distance from $R$ to the code is $n - k$ iff there is a subset $P_{i_1}, \dots, P_{i_k}$ of $P_1, P_2, \dots, P_n$
such that

$$P_{i_1} + P_{i_2} + \cdots + P_{i_k} = Q.$$

Proof: 

It is clear that $R$ is not a codeword, since if $f' \in L(Q + (k - 1)O)$ takes the same values
as a function in $L((k - 1)O)$ at $n$ distinct points, it must be equal to the function, but $f'$
has a pole at $Q$.

If the distance is less than $n - k$, it means that there is a function $f \in L((k - 1)O)$ such
that $f' - f$ has more than $k$ distinct zeros in $\{P_1, P_2, \dots, P_n\}$. But $f' - f \in L(Q + (k - 1)O)$,
it has at most $k$ poles. A contradiction.

If the distance from $R$ to the code is $n - k$, there is a function $f \in L((k - 1)O)$ such
that $f' - f$ has $k$ distinct zeros. Let them be $P_{i_1}, \dots, P_{i_k}$. The function $f' - f$ must have
a pole at $Q$ with multiplicity 1 and a pole at $O$ with multiplicity $k - 1$. Therefore, we have
$(f' - f) = P_{i_1} + \cdots + P_{i_k} - Q - (k - 1)O$ and in $E(\mathbb{F}_p)$

$$P_{i_1} + \cdots + P_{i_k} = Q.$$

In the other direction, suppose there is a subset $P_{i_1}, \dots, P_{i_k}$ of $P_1, P_2, \dots, P_n$ such that

$$P_{i_1} + P_{i_2} + \cdots + P_{i_k} = Q.$$

This implies that there is a function $g$ such that

$$(g) = P_{i_1} + \cdots + P_{i_k} - Q - (k - 1)O.$$

It is clear that $g \in L(Q + (k - 1)O)$, thus $g = f + a f'$, where $f \in L((k - 1)O)$ and $a \ne 0$.
The vector $R$ is at distance $n - k$ away from the codeword obtained by evaluating the
function $-f/a$ at $P_1, P_2, \dots, P_n$.

To prove that the distance is at most $n - k + 1$, compute $P' = Q - P_1 - P_2 - \cdots - P_{k-1}$.
If $P' \in \{P_k, P_{k+1}, \dots, P_n\}$, then we have shown that the distance from $R$ to the code is
$n - k$. Assume that it is not the case. There exists a function $g'$ such that

$$(g') = P_1 + \cdots + P_{k-1} + P' - Q - (k - 1)O.$$

Since $g' \in L(Q + (k - 1)O)$, we have that $g' = a f' + f$ for some $f \in L((k - 1)O)$ and
$a \in \mathbb{F}^*$. This shows that the distance from $R$ to the code is not longer than $n - k + 1$. □

Theorem 3 Given a received vector, computing the distance from the vector to an elliptic
code is NP-hard. Therefore, the maximum likelihood decoding problem for algebraic
geometry codes is NP-hard.

Proof: Given an instance of the prime field subset sum problem, we construct an elliptic
curve $E$ over $\mathbb{F}_p$, $p = O(q^2)$, with a point $G$ of order $q$. Let $Q = bG$, and let $f'$ be a function
in $L(Q + (k - 1)O) - L((k - 1)O)$. Now consider an algebraic geometry code generated by
evaluating functions in $L((k - 1)O)$ at $P_1 = a_1 G, P_2 = a_2 G, \dots, P_n = a_n G$. According to
Lemma 3, the answer to the prime field subset sum instance is "Yes" iff the distance from
$R = (f'(P_1), f'(P_2), \dots, f'(P_n))$ to the code is $n - k$.

□ 

Applying the result about the preprocessing subset sum problem [T3], we get 

Corollary 3 There is a sequence of algebraic geometry codes $C_1, C_2, \dots, C_i$, where
$C_i \in [i, k]_{q_i}$, such that the existence of polynomial size circuits which solve their maximum
likelihood decoding problems implies that $\mathrm{NP} \subseteq \mathrm{P/poly}$.

6 Concluding remarks 

In this paper, we prove that computing minimum distances and the maximum likelihood 
decoding are NP-hard for algebraic geometry codes. Our results rule out the possibility of 
polynomial time solutions for these two problems, unless NP = ZPP. 

The Reed-Solomon codes can be thought of as a special case of algebraic geometry codes,
in which we use the rational function field. Let $O$ be the infinity point on the projective
line. The functions $1, x, x^2, \dots, x^k$ form a basis for $L(kO)$. In jB], the authors study
Hamming balls centered at the vectors (r(x) / h(x)) -p , where $r$ and $h$ are polynomials, in
order to prove that the bounded distance decoding for the Reed-Solomon codes is hard.
The function $f(x)/h(x)$ has poles at points other than $O$. Some results in jH] follow a similar
line. In the proof of Lemma 3 we use $f'$ to generate a received word; it has poles at a place
other than $O$. We suspect that further exploration of this connection between rational
functions with a different pole and decoding problems would prove fruitful.

Our results use algebraic geometry codes based on elliptic curves. In many ways, the 
elliptic codes are very similar to the Reed-Solomon codes. Intuitively we expect that the 
decoding problem for elliptic codes is the easiest among all algebraic geometry codes. We 
leave it as an open problem to prove that both problems are NP-hard for codes based on 
curves of any fixed genus. 

The most interesting family of algebraic geometry codes has a fixed alphabet. The
codes in our results have alphabets of exponential size. Nonetheless, we observe that all
the known decoding algorithms for algebraic geometry codes are not sensitive to the size of
the alphabets. Our results indicate that if a polynomial time maximum likelihood decoding
algorithm for algebraic geometry codes does exist, it can only work for codes with a small
alphabet size. We conjecture that the maximum likelihood decoding is NP-hard even for a
family of algebraic geometry codes with a fixed alphabet, and leave it as an open problem.